US6643648B1ExpiredUtility

Secure, limited-access database system and method

91
Assignee: RAF TECHNOLOGY INCPriority: Jun 30, 1999Filed: Jun 30, 2000Granted: Nov 4, 2003
Est. expiryJun 30, 2019(expired)· nominal 20-yr term from priority
Y10S707/968Y10S707/99938G06F 21/6227Y10S707/959Y10S707/99939Y10S707/917
91
PatentIndex Score
107
Cited by
15
References
25
Claims

Abstract

A limited-access database system is designed for rapid access of data records with reduced memory storage requirements. The database system employs a set of obfuscated data records stored in data crystals that can only be accessed and read by an iterator, which is not directly accessible by the users of the database. The iterator accesses information responsive to a predefined query sent from a customer application. Rather than providing general tools to customers for constructing any possible queries, such as is done in structured query language database systems, database systems embodying the present invention allow only predefined types of queries to be used by customer applications. By restricting the types of queries customer applications can call, valuable data records remain secure from unauthorized reconstruction or duplication while still allowing limited access for specific purposes.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
       1. A database system regulating access to one or more data records according to authorized access rights, the database system comprising: 
       one or more data crystals storing one or more data records in an obfuscated format;  
       one or more iterators, each iterator programmed to access, deobfuscate, and return at least one of the one or more data records in response to a data request;  
       one or more queries, each query predefined to receive an indication of an authorized type of data requirement, to request at least one data record from the iterator, and to select from among the returned at least one data record a requested data record satisfying the data requirement; and  
       a key crystal granting access rights for the database system;  
       wherein:  
       the access rights include crystal permissions;  
       the crystal permissions divide the one or more data crystals into active data crystals and inactive data crystals; and  
       the inactive crystals are inaccessible during operation of the database system.  
     
     
       2. The database system of  claim 1 , wherein the crystal permissions are determined by accessing the key crystal during database start-up. 
     
     
       3. The database system of  claim 1 , wherein each iterator is unavailable for accessing the data records if the corresponding data crystal is specified as inactive in the crystal permissions upon receipt of the request from the query. 
     
     
       4. The database system of  claim 1  further comprising a second key crystal granting second access rights, the second key crystal supplanting the first key crystal. 
     
     
       5. A database system regulating access to one or more data records according to authorized access rights, the database system comprising: 
       one or more data crystals storing one or more data records in an obfuscated format;  
       one or more iterators, each iterator programmed to access, deobfuscate, and return at least one of the one or more data records in response to a data request;  
       one or more queries, each query predefined to receive an indication of an authorized type of data requirement, to request at least one data record from the iterator, and to select from among the returned at least one data record a requested data record satisfying the data requirement; and  
       a key crystal granting access rights for the database system;  
       wherein:  
       the access rights include query permissions;  
       the query permissions divide the one or more queries into active queries and inactive queries; and  
       the inactive queries are inaccessible during operation of the database system.  
     
     
       6. The database system of  claim 5  wherein the iterator deobfuscates and accesses the one or more data records only upon receiving the request from an active query. 
     
     
       7. The database system of  claim 5  further comprising a second key crystal granting second access rights, the second key crystal supplanting the first key crystal. 
     
     
       8. A database system regulating access to one or more data records according to authorized access rights, the database system comprising: 
       one or more data crystals storing one or more data records in an obfuscated format;  
       one or more iterators, each iterator programmed to access, deobfuscate, and return at least one of the one or more data records in response to a data request;  
       one or more queries, each query predefined to receive an indication of an authorized type of data requirement, to request at least one data record from the iterator, and to select from among the returned at least one data record a requested data record satisfying the data requirement;  
       a key crystal granting access rights for the database system; and  
       a versionless iterator and installable code for the versionless iterator, the installable code allowing the versionless iterator to deobfuscate and access the one or more data records in a different version of a corresponding data crystal.  
     
     
       9. A database system regulating access to one or more data records according to authorized access rights, the database system comprising: 
       one or more data crystals storing one or more data records in an obfuscated format;  
       one or more iterators, each iterator programmed to access, deobfuscate, and return at least one of the one or more data records in response to a data request;  
       one or more queries, each query predefined to receive an indication of an authorized type of data requirement, to request at least one data record from the iterator, and to select from among the returned at least one data record a requested data record satisfying the data requirement; and  
       a key crystal granting access rights for the database system;  
       wherein the access rights are limited according to a criterion selected from a group consisting of: a customer identifier, a customer site, a customer computer system, an expiration date, and a number of times accessing the database system.  
     
     
       10. A controlled access database system comprising: 
       a plurality of data crystals, each data crystal containing at least one data record employing an obfuscation technique;  
       an iterator programmed to access the at least one data record according to the obfuscation technique;  
       at least one query of a predefined type:  
       wherein one or more of the at least one query is called by an application with a data requirement;  
       wherein the data requirement of the application determines the one or more called query; and  
       wherein the one or more called query employs the iterator to access the at least one data record; and  
       a key crystal granting access rights to the database system;  
       wherein the access rights are limited according to a criterion selected from a group consisting of: a customer identifier, a customer site, a customer computer system, an expiration date, and a number of times accessing the database system.  
     
     
       11. A method for building a controlled-access database for preventing unauthorized access to data records, the method comprising the steps of: 
       obtaining a data record; storing the data record in a data crystal in an obfuscated format;  
       providing an iterator to access and deobfuscate the obfuscated data record;  
       providing a query to request the iterator to locate and access the data record only in accordance with a preauthorized type of data requirement;  
       providing a key crystal authorizing use of the data crystal and the query according to the preauthorized type of data requirement;  
       obtaining a second data record;  
       storing the second data record in a second data crystal in an obfuscated format; and  
       specifying, in the key crystal, access rights rendering the first data crystal active and the second data crystal inactive.  
     
     
       12. The method of  claim 11  further comprising the step of providing a second key crystal, the second key crystal specifying second access rights supplanting the first access rights specified by the first key crystal. 
     
     
       13. A method for building a controlled-access database for preventing unauthorized access to data records, the method comprising the steps of: 
       obtaining a data record;  
       storing the data record in a data crystal in an obfuscated format;  
       providing an iterator to access and deobfuscate the obfuscated data record;  
       providing a query to request the iterator to locate and access the data record only in accordance with a preauthorized type of data requirement;  
       providing a key crystal authorizing use of the data crystal and the query according to the preauthorized type of data requirement;  
       providing a second query to request the iterator to locate and access the data record only in accordance with a second preauthorized data requirement; and  
       specifying, in the key crystal, access rights rendering the first query active and the second query inactive.  
     
     
       14. The method of  claim 13  further comprising the step of providing a second key crystal, the second key crystal specifying second access rights supplanting the first access rights specified by the first key crystal. 
     
     
       15. A method for building a controlled-access database for preventing unauthorized access to data records, the method comprising the steps of: 
       obtaining a data record;  
       storing the data record in a data crystal in an obfuscated format;  
       providing an iterator to access and deobfuscate the obfuscated data record;  
       providing a query to request the iterator to locate and access the data record only in accordance with a preauthorized type of data requirement;  
       providing a key crystal authorizing use of the data crystal and the query according to the preauthorized type of data requirement; and  
       storing a plurality of data records;  
       wherein:  
       the iterator accesses and deobfuscates one or more of the plurality of data records and returns the one or more data records to the query; and  
       the query determines if each of the one or more returned data records satisfies the preauthorized data requirement.  
     
     
       16. A method for building a controlled-access database for preventing unauthorized access to data records, the method comprising the steps of: 
       obtaining a data record;  
       storing the data record in a data crystal in an obfuscated format;  
       providing an iterator to access and deobfuscate the obfuscated data record;  
       providing a query to request the iterator to locate and access the data record only in accordance with a preauthorized type of data requirement;  
       providing a key crystal authorizing use of the data crystal and the query according to the preauthorized type of data requirement; and  
       creating an application for calling the query, the application having direct access to the query and having access to the iterator, the data crystal, and the obfuscated data record only through the query.  
     
     
       17. A method for creating a controlled-access database and providing a customer with customer-specific access rights to the database, the method comprising the steps of: 
       generating a plurality of data crystals, each data crystal to store a data record in an obfuscated format;  
       providing a plurality of iterators, each iterator to deobfuscate and access the data record in a corresponding data crystal;  
       providing a plurality of predefined queries, wherein each query calls one or more iterators in response to receiving an indication of a specific data requirement; and  
       providing a database customer a key crystal, the key crystal granting query permissions and crystal permissions, the crystal permissions specifying inactive crystals and active crystals among the plurality of data crystals, and the query permissions specifying inactive queries and active queries among the plurality of queries.  
     
     
       18. The method of  claim 17  further comprising the step of, at a subsequent time, providing the database customer a second key crystal, the second key crystal granting second crystal permissions supplanting the first crystal permissions and second query permissions supplanting the first query permissions. 
     
     
       19. The method of  claim 17  further comprising the steps of: 
       making the active queries available to an application exposed to input data in an input data stream;  
       in response to receiving the input data, allowing the application to request a query to call an iterator to access and deobfuscate the data record; and  
       in response to the input data not matching the data record, storing the input data in a data crystal.  
     
     
       20. The method of  claim 19  further comprising the step of transferring the stored input data to a vendor of the database. 
     
     
       21. The method of  claim 20  wherein the storage site is a removable storage medium and the transferring step is done by removing and transferring the removable storage medium. 
     
     
       22. The method of  claim 20  wherein the transferring step is through a remote connection over a network. 
     
     
       23. The method of  claim 20  further comprising the steps of: 
       performing statistical analysis on the stored input data;  
       in response to a favorable statistical analysis, updating at least one of the plurality of data crystals with the stored input data.  
     
     
       24. The method of  claim 23  further comprising the step of providing the at least one updated data crystal to the database customer. 
     
     
       25. The method of  claim 19  further comprising the steps 
       performing statistical analysis on the stored input data;  
       in response to a favorable statistical analysis, updating at least one of the plurality of data crystals with the stored input data.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.